Endpoint Protection

So with 12.1 RU4 released, I thought it would be prudent to check and see if LiveUpdate Admistrator had any new products...sure enough, 12.1.4 is another line item that needs to be downloaded.

Just so I'm clear, if I want to update the definitions on a machine running 12.1.4, then I need to add this line item to the products section of my LUA? The line item for 12.1.2 will not get me the current definitions for 12.1.4, correct?

Thanks for any input...especially if someone knows why we keep getting new "Products" for LUA with almost every new SEP 12.1 release...are the definition sets THAT different?

-Mike

P.S. The main reason I gripe is that the LUA is not smart enough to purge old updates so my clu-prod folder just continues to grow and grow until I'm fed up with replicating 50 gigs of data to multiple network partitions...then I scrub the whole LUA install and start over. Suks...seriously suks.

Still waiting for the purge old updates feature/button...as I'm sure are many others.

The only addition I know of for RU4 was IPS signatures for the Mac (new feature for Macs in RU4).

I believe any def set for 12.1 will update any version of 12.1

Thanks for the reply Brian...

The main reason I ask all this is because I'm trying to thin my LUA downloads to just what I need to cover all my current clients.

Right now I'm grabbing the following Defs on my LUA:

SEP and SNAC 11

SEP and SNAC 12.1 RU2

and now SEP 12.1 RU4

It sure would be nice if there was one definition set that covered ALL the SEP 12.1 releases. For example when SEP 12.1.5 is released, the definition set that worked for it, also worked for 12.1.4, 12.1.3, 12.1.2...etc.

Maybe I'm missing something here? Should I ONLY be downloading the 12.1.4 definitions because it is already backward compatible so that my 12.1.1, 12.1.2 and 12.1.3 clients will ALL get current definitions from just the 12.1.4 set?

-Mike

To me, it doesn't make sense as to why RU4 would require a new def set..where is at for RU3 or RU2 MP1...idk, kinda confusing and I can't find much documentation to explain it but I could be missing it...

Mick2009 or some other LUA wizard care to fill in the gaps as to why LUA needs multiple SEP 12.1 products/downloads?

Hi Mike,

The purge of the Clu-prod folder should happen automatically can you check in Configure\Preferences if there is a schedule set for the purge of definitions in the Distribution Center.

Also this article can be interesting to manage the size of the updates: https://www-secure.symantec.com/connect/articles/managing-liveupdate-administrator-2x-space-usage

if the LUA is only used to update Windows SEP clients you only need to download and distribute the definitions for the clients, if the LUA is only used to update a SEP Manager only the definitions for the Manager have to be selected and if the LUA is updating only Windows machines, the MAC definitions can be deselected.

Hope it helps otherwise if you open a case with the technical support we can have a look on why the purges are not happening.

Hi Jgl2010,

Thanks for your input, but sadly it is a well known tidbit that the automatic purging of old LUA definitions does not work as many of us expect...and I don't believe it is the way my LUA is configured.

Others seem to have the same issue with ever growing LUA definitions as I do...

https://www-secure.symantec.com/connect/ideas/purge-now-button-liveupdate-administrator-2x

http://www.symantec.com/docs/TECH186728

I currently only save 1 revision and my clu-prod folder is well over 80GB...my last rebuild of the LUA was in January. If something is being purged, I sure can't tell.

-Mike

If someone sees an error in my configuration, I'd love to know it...

-Mike

Hi again Mike,

i think it can be worthwhile to open a case to the technical support to why these purges are not happening (there is a troubleshooting link in the LUA which will gather all the troubleshooting logs to provide to the technical support), i haven't checked for the distribution centers but i have tested recently the purges of the download folder and they worked for me.

About the Definitions for 12.1 RU4 unfortunately this article: http://www.symantec.com/docs/TECH211582  say that these definitions are necessary for 12.1 RU4 SEP clients but i would like to check if these definitions are only for MAC or for Windows too (i am home and i don't have an LUA to check)

But this article speaks about what i was mentioning regarding the selection of updates to select in the LUA: https://www-secure.symantec.com/connect/articles/liveupdate-administrator-product-selection-guide

Do you know if your LUA is set to download only the definitions needed in your environnement ?

That seems alright indeed...i think your best choice now would be to open a case with the Technical support so we can check why the purges are not happening in the Distribution center...80 Gb seems huge indeed...

especially if your only downloading

SEP and SNAC 11

SEP and SNAC 12.1 RU2

Hi Jgl2010,

I will ponder the prospect of putting in a support request, but again this is pretty common issue (at least I believe it is) and I would be more curious to know if your LUA (or anyones for that matter) has actually ever stopped growing. I speculate the answer is no...if the answer is yes, then maybe I am missing something. As may times as I rebuilt my LUA (not using the configuration recovery file), you would think that a default install (before I change the purge settings) would just work...it doesn't.

As mentioned above, I download updates for the following products because they are what I currently have to support.

SEP and SNAC 11
SEP and SNAC 12.1 RU2
and starting today SEP 12.1 RU4

I have to support Windows PC's, both Workstations and Servers, running almost every version of SEP 11 and SEP 12.1.x, as well as Macintosh machines running SEP 11 and 12.1.x.

-Mike

Hi again Mike,

Yes indeed there looks to be something wrong with the purges it is definitely worth checking it with the support.

and as there are also Mac machines to updated the Mac definitions have to be selected too indeed.

This article https://www-secure.symantec.com/connect/articles/liveupdate-administrator-product-selection-guide explains also that if it's only SEP clients that have to be updated by the LUA only the defintions for the clients have to be selected and not the definitions for the SEP Managers, is it only SEP clients that have to be updated or is there also some SEP management console ?

My SEP 11 SEPM's have been retired, but my SEPM 12.1 SEPM's are still fed by my LUA. So yes, I still need to download updates for the SEPM's as well as the clients.

Thanks for the suggestion.

-Mike

We have the same problem Mike. Our LUA Server is now full because the the automatic purging is not funtioning. Any related issue with this?

Regards,

JM

Hi Mike,

I might be able to provide some help.  &: )

First off, yes: if you have the new SEP 12.1 RU4 in your environemnt, then add that product to your LUA and distribution centers and begin to download the contents you need. 

About Symantec Endpoint Protection 12.1 RU4 Definitions in LiveUpdate Administrator 2.x
http://www.symantec.com/docs/TECH211582

The good news is that not every file is differnt in different SEP 12.1 releases.  Sometimes the format of the file changes and sometimes it remains the same.  If the same definition file is needed for different releases of SEP 12.1, LUA 2.x is smart enough to download it just once.  (It won't download it three times, for instance.  You won't be doubling or tripling the workload during migration to SEP 12.1 RU4, though there will be an increase).  A couple illustrations....

Regarding purging.... The files that are in the Distribution Center (DC) will have a corresponding entry in the LUA Postgresql database. Purging should work well enough in LUA 2.3.2, unless you have several LUA servers distributing to the same remote file server location.  If several LUA servers are copying materials to the same place, then there will be materials copied there which do not have corresponding entries in the database.  One LUA server won't know about everything and won't know to purge the contents it did not copy in.  Definitely do open a case if you are seeing excessive growth and retention of old files. 

Hope this helps!

Mick

Hi JM,

Other than the fact that the hard drive on our LUA server fills up, there are no other related issues. LUA 2.3.2.99 has easily been the most stable and least prone to breakage in the past five years. If it were not for the constant growth of the clu-prod folder, I would call this version of LUA perfect.

Thanks for being the first to validate my trouble with LUA.

-Mike

Thanks for the reply Mick, as usual when it comes to LUA, you reign supreme. The graphic above and the link (which I had never seen before) give me a much better picture of the whole process, it also tells me I've been neglecting the machines (less than 50) that are still running 12.1.1xxx. As a result I have added "Symantec Endpoint Protection v12.1" to my daily downloads. For someone with 5 years of LUA experience, the understanding of proper product selection has evaded me...hopefully no longer.

Before I put in a support request, can you please answer one question for me? Does the clu-prod folder in your test environment ever stop growing?

If my clu-prod folder grew to 20 GB and then leveled out, I would be fine with that. Old definitions out the back end, and new definitions in the front end...but it doesn't, and never has. You used the phrase above "Excessive Growth"...that leads me to think that it is normal for the clu-prod folder to always grow, just not "excessively". Is that true?

Anyway, thanks again for the reply and for filling a few gaps in my LUA knowledge.

-Mike

Many thanks, Mike!  Glad to help. &: )

The size of the clu-prod I am using creeps slowly up, because the size of the definitions themselves is ever-increasing as new threats are discovered and new protection added. 

Thanks for the clarification Mick,

No need to reply to this...just mumbling out loud.

I get that new definitions and product updates come every day, I think my heart burn was from the size of the growth over an extended period of time. In January, during my last rebuild of the LUA, I bet clu-prod was under 20GB, now at almost 80GB I'm back at the point of "Something Must Be Wrong"!! But maybe the numbers are all normal growth over time given my unique product selections and retention configuration.

I'm not prepared to go through the personal challenges that are associated with putting in a support request, so for now I'm going to blow away the LUA again, start clean with my new knowledge of judicious product selection, and then track the growth over time. In 6 months I will revisit the topic and see how the numbers actually look.

Thanks to everyone for the replies and the support. I hope others have gained from this dialog as much as I have.

-Mike